In the cloud, an often hazy grasp of security risks

Paresh Dave

When Thomas Trappler talks clouds, companies listen.

But he's not warning about rain. Rather, Trappler is a "cloud" consultant, who tells attorneys, executives and fellow information technology experts what to look out for when they put company databases in the so-called cloud.

As more companies rely on remote cloud servers to store their files, Trappler has become a highly sought-after security advisor, a celebrity of sorts in the rapidly growing cloud computing industry.

"No one's teaching people about this," Trappler said. "At the moment, I don't think there are very many people like me."

Trappler is the director of software licensing at UCLA — a job that opened the door to his lucrative moonlighting.

For years, he had been buying licenses for programs, such as Microsoft Office, so that UCLA faculty, students and staff could use them. But the rules started to change five years ago as these programs moved into the cloud, turning into apps such as Office 365. Trappler studied until he became a go-to expert nationwide.

"It's easy to overlook security because of the virtual nature of the cloud, but really your data is going over the Internet to another computer and not to some magical world where everything's going to be fine," he said.

The $40-billion cloud industry, as measured by the research firm IDC, is attractive to companies. By transferring files via the Internet to a hard drive located in a data center or server farm, users can access the data from any Internet-connected device.

What troubles Trappler is that not every company considers security issues before agreeing to bounce consumers' data onto the cloud services. Half of companies surveyed in December by Ponemon Institute, an independent research firm, reported that they had not taken security risks into account when striking cloud deals.

"What most of us are used to is 'I buy it, I maintain it,'" Trappler said. "If something's broken, I can beat on someone's door down the hall and get them to fix it."

Now "it" and "someone" are far away. "And the question is, how do I ensure they do it right," Trappler said.

With spies after trade secrets, hackers out to steal sensitive financial information and the federal government demanding online communications records, the threats are as prominent and varied as they have ever been.

And companies aren't the only ones at risk. Consumers who use Web applications are caught blind in the middle. They often are not told where their sensitive information is being stored and what precautions are being taken to ensure that it's not seen by the wrong eyes.

For example, Google's Cloud Platform website lists BestBuy.com as a client. But the retailer recently moved customer data off the cloud, spokesman Jonathan Sandler said. Its privacy policy doesn't note where data are stored. The policy does state that Best Buy takes "reasonable security measures to protect the confidentiality of personal information under our control and appropriately limit access to it."

Trappler has advised more than 50 companies and has spoken to hundreds of people at conferences about what qualifies as "reasonable measures." Among his clients have been a pharmaceutical firm from New Jersey, a biotechnology company from Southern California and a higher education system in the Midwest. They could not be named because of confidentiality agreements.

He suggests that companies consider, among other things, encryption methods and reliability of the storage computers. Other possibilities include background checks of the cloud provider's employees and clear notification policies in the event of a breach.

The biggest sticking point in deals is often deciding who's responsible for the repercussions when data are stolen. Companies want cloud providers to pick up the tab, since the customers often have little insight into the provider's security measures.

"The client wants to be able to verify the service provider's security claims," Trappler said. "But the more details they reveal, the less secure the provider's infrastructure becomes."

Some cloud providers certify that they meet standards set by the government or third parties when it comes to storing financial and healthcare data. But few let potential or current clients test physical or digital security. The clients are left feeling insecure, although they may be on the hook if something goes wrong.

David Tollen, author of "The Tech Contracts Handbook," said all a consumer can do is see whether the company he or she is dealing with has a good reputation for trustworthiness. "Scale is sometimes a good proxy for knowing a service provider's ability, because a large vendor is likely to have done their due diligence," he said.

Some in the cloud contracting business expect to see more regulations related to cloud storage. But until that happens, people such as Trappler remain important guardians of data.

Trappler and other contracting experts note that buying cloud space is becoming as standard as paying for power, water and Internet service. These utilities are crucial to companies, yet security at the server farms that hold their data is often beyond their control. Still, Trappler says companies can push cloud providers to take better care of their precious data.

"It's a perceived diminishment in control," Trappler said of the cloud. "Once you can wrap your head around that, you can start addressing all those risk issues."